Scalable Installation Options

NAV 2009 Three-Tiered Environment

Two configurations are available for a NAV 2009
three-tiered installation on multiple servers:
'Three Tiers on Two Computers' and 'Three Tiers on Three
Computers'. The key characteristic of the first configuration is
that the two server tiers, Microsoft Dynamics NAV Server and SQL
Server, are on the same computer. If you install Microsoft
Dynamics NAV Server and SQL Server on separate computers (the 'Three
Tiers on Three Computers' configuration), you must set up
delegation to enable clients to use the Microsoft Dynamics NAV
Server service's credentials while interacting with a SQL Server
database.

During installation you may encounter
configuration problems. The information below will help
you solve them.

If the MS Dynamics NAV 2009 three-tier
environment is used with a web services connection and your website is
in a decentralized hosting environment (separate domains for the web server
and the NAV server), the following is required:

VPN connection must be set up between these environments;

These domains have to be made trusted.

This allows the rights of the user who runs the
web application to be delegated to MS Dynamics NAV.

Usage of HTTPS without a VPN in the described scenario does not
work.

First check the accounts which are running the NAV and SQL
services. Make notes of domain account names, machine names, and
FQDN (Fully qualified domain name).

Check for Incorrect Service Principal Names (SPNs)

When the NAV Server and the database are on separate machines
and the NAV Service is running under a Domain Account, two SPNs
have to be set up for the NAV Service:

Replace 'yourDomain', 'yourCompany', and 'yourUser' with the
appropriate values.

To set up the SPN for the second service (NAV 2009 Web
Service), run the following command:

setspn -A http/NAVSERV.yourDomain.yourCompany.com yourDomain\yourUser

Replace 'NAVSERV' with the name of the computer running
Microsoft Dynamics NAV Server, and replace 'yourCompany',
'yourDomain', and 'yourUser' with the actual company, domain, and
user account names.

SPN for SQL Service is not needed if SQL is running under the
NetworkService account.

SPN for SQL Server is needed if SQL Server is running under a
Domain account - see 'SQL SPN' at the end of this chapter.

When the NAV Server and the database are on separate machines,
and the NAV Service is running under NetworkService account:

No SPN is needed for the NAV Service;

SPN for SQL Service is not needed if SQL is running under
NetworkService;

SPN for SQL Server is needed if SQL Server is running under a
Domain account - see 'SQL SPN' at the end of this chapter.
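
The following check is an added example, not part of the original page: it confirms that the http SPN from the setspn command above is registered on the NAV service account and on no other object. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; 'yourUser' and the SPN value are the page's placeholders, and the search covers the current domain only.

```powershell
# Added example: verify SPN registration for the NAV service account.
Import-Module ActiveDirectory

# Placeholders taken from the setspn command above; replace with real values.
$account      = 'yourUser'
$expectedSpns = @('http/NAVSERV.yourDomain.yourCompany.com')

$svc        = Get-ADUser -Identity $account -Properties ServicePrincipalName
$registered = @($svc.ServicePrincipalName | Where-Object { $_ })

foreach ($spn in $expectedSpns) {
    # -contains compares case-insensitively, which matches SPN semantics
    $onAccount = $registered -contains $spn

    # Kerberos needs each SPN on exactly one object; list every holder of this one
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                     -Properties sAMAccountName)
    $others  = @($holders | Where-Object { $_.sAMAccountName -ne $svc.SamAccountName })

    if (-not $onAccount) {
        $status = 'MISSING'      # register it with setspn -A as shown above
    } elseif ($others.Count -gt 0) {
        $status = 'DUPLICATE'    # remove the SPN from the other object(s)
    } else {
        $status = 'OK'
    }

    [pscustomobject]@{
        SPN          = $spn
        OnNavAccount = $onAccount
        AlsoHeldBy   = ($others | ForEach-Object { $_.sAMAccountName }) -join ', '
        Status       = $status
    }
}
```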

Check Delegation

When running the NAV Service under a Domain Account, delegation
has to be set up for the account running the NAV service.

The Delegation tab will only be present after adding the
SPN to the domain user account.

Click 'Start', then click 'Run';

Type in 'dsa.msc' and click 'OK';

Expand the 'Domain' and then click on 'Users';

Locate the domain user account you are using, right click and
select 'Properties';

On the 'Delegation' tab, select 'Trust this user for
delegation to any service (Kerberos only)', then click 'OK'. (This
is not constrained delegation as mentioned in the Walkthrough, but
it makes delegation a little easier to set up. You can always
come back after it is set up and working to implement constrained
delegation);

Close the 'Active Directory Users and Computers' window.

For constrained delegation, select 'Trust this user for
delegation to specified services only' and then select
MSSQLSvc.

When running the NAV Service under NetworkService account,
Delegation has to be set up for the machine running the NAV
service.

Click 'Start', and then click 'Run';

Type in 'dsa.msc' and click 'OK';

Expand the 'Domain' and then click on 'Computers';

Locate the computer name, right click and select
'Properties';

On the 'Delegation' tab, select 'Trust this machine for
delegation to any service (Kerberos only)', then click 'OK';

Close the 'Active Directory Users and Computers' window.
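
To confirm what was actually configured, and to check later that the account has been moved to constrained delegation for MSSQLSvc only, the delegation settings can be read back from the directory. This is an added example, not part of the original page; it assumes the ActiveDirectory PowerShell module (RSAT), and 'yourUser' / 'NAVSERV$' are placeholders.

```powershell
# Added example: audit the delegation settings of the identity running the NAV service.
Import-Module ActiveDirectory

# Placeholder: 'yourUser' for a domain account, or 'NAVSERV$' (the machine
# account) when the NAV service runs as NetworkService.
$navIdentity = 'yourUser'

$obj = Get-ADObject -LDAPFilter "(sAMAccountName=$navIdentity)" `
    -Properties userAccountControl, 'msDS-AllowedToDelegateTo', servicePrincipalName
if (-not $obj) { throw "No directory object found for '$navIdentity'" }

# userAccountControl bit flags
$TRUSTED_FOR_DELEGATION         = 0x80000    # "any service (Kerberos only)"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol"

$uac     = [int]$obj.userAccountControl
$spns    = @($obj.servicePrincipalName       | Where-Object { $_ })
$targets = @($obj.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

if ($uac -band $TRUSTED_FOR_DELEGATION) {
    $mode = 'Unconstrained (any service)'
} elseif ($targets.Count -gt 0) {
    $mode = 'Constrained'
} else {
    $mode = 'Not trusted for delegation'
}

# Under constrained delegation the NAV service only needs to reach SQL Server,
# so any target that is not an MSSQLSvc SPN deserves a second look.
$nonSqlTargets = @($targets | Where-Object { $_ -notlike 'MSSQLSvc/*' })

[pscustomobject]@{
    Identity           = $navIdentity
    HasSpn             = ($spns.Count -gt 0)   # the Delegation tab needs an SPN
    DelegationMode     = $mode
    ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
    AllowedTargets     = $targets -join '; '
    NonSqlTargets      = $nonSqlTargets -join '; '
}
```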

Check SQL Logins and OCL

Adding the login(s) to SQL Server and setting up the Object
Change Listener (OCL):

OCL is not required if the NAV Server and SQL Server are on
the same machine and the NAV service is running under Network
Service account.

If using a Domain User to run services, make sure the login
has been added to both SQL Server and NAV. Also check that the
user has Full Control of the server folder (the default path to the
server folder is the following: C:\Program Files\Microsoft Dynamics
NAV\60\Service).

The account may already exist in SQL Server but the
permissions must be manually set correctly:

If the NAV server and SQL Server are on different machines and
the Network Service account is running the NAV Service, then the
Login and OCL must be set up using the same steps but for the
machine account rather than the domain user.
Use the steps described earlier, but replace the domain account
with the machine account with the following form:
<domain>\<computername>$.

Check the configuration of Delegation for the RTC

Change the 'ClientUserSettings.config' on the computer running
the RTC, under the current user's profile, to define that a domain
user account is to be used when connecting to the NAV Service tier.

Add the following key to the file:
<add key="DelegationInfo" value="DomainUser"></add>

There are two possible values: 'NetworkService' and
'DomainUser'. To enable delegation, set the parameter to
'DomainUser'.

This will need to be repeated for all workstations that will
be using the RTC.

After confirming all items above and making the necessary
changes, be sure to stop and start the NAV Server service before
you attempt to re-connect using the RTC. If you still encounter the
error message, remember that Kerberos tickets last for ten hours,
so if you add/change the SPN, you may either have to wait for any
existing tickets to expire or download KerbTray and attempt to
expire any existing tickets. This is found in the Windows Server
2003 Resource Kit, which can be downloaded from
here.

Check the SQL Service SPN (optional)

An SPN for SQL Server is composed of the following
elements:

ServiceClass: This identifies the general class of service.
This is always MSSQLSvc for SQL Server;

Host: This is the fully qualified DNS domain name of the
computer that is running SQL Server;

Port: This is the port number that the service is listening
on;

yourDomain\yourUser: This is the user which runs the
service.

For example, a typical SPN for a computer that is running SQL
Server is:
